Merge branch 'master' into feat/zombie-on-policy-fail

Author: edsonmichaque

.github/workflows/jira-pr-validator.yaml

@@ -17,4 +17,5 @@ jobs:
         uses: TykTechnologies/jira-linter@38a9cabef56171c4e52ea698fa7be3db5fca3a49  # main
         with:
           jira-base-url: 'https://tyktech.atlassian.net'
+          jira-user-email: ${{ secrets.JIRA_USER_EMAIL }}
           jira-api-token: ${{ secrets.JIRA_TOKEN }}

.github/workflows/plugin-compiler-build.yml

@@ -26,8 +26,11 @@ jobs:
 
   docker-build:
     needs: [dep-guard]
+    if: |
+      !cancelled() &&
+      (needs.dep-guard.result == 'success' || needs.dep-guard.result == 'skipped') &&
+      !github.event.pull_request.draft
     runs-on: ubuntu-latest
-    if: ${{ !github.event.pull_request.draft }}
     permissions:
       id-token: write
     steps:

.github/workflows/release.yml

@@ -16,6 +16,7 @@ on:
   schedule:
     - cron: "0 0 * * 1"
   pull_request:
+    types: [opened, synchronize, reopened, labeled]
   push:
     branches:
       - master
@@ -391,8 +392,11 @@ jobs:
             !dist/*PAYG*.rpm
             !dist/*fips*.rpm
   resolve-dashboard-image:
-    if: github.event.pull_request.draft == false
     needs: goreleaser
+    if: |
+      !cancelled() &&
+      needs.goreleaser.result == 'success' &&
+      github.event.pull_request.draft == false
     runs-on: ${{ vars.DEFAULT_RUNNER }}
     permissions:
       id-token: write
@@ -407,6 +411,7 @@ jobs:
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
+          persist-credentials: false
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Check for relevant package changes in PR
         id: check_changes
@@ -516,6 +521,7 @@ jobs:
           COMMIT_SHA: ${{ github.sha }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           HAS_RELEVANT_CHANGES: ${{ steps.check_changes.outputs.has_relevant_changes }}
+          ORG_GH_TOKEN: ${{ secrets.ORG_GH_TOKEN }}
         run: |
           echo "=================================="
           echo "📊 Dashboard Image Resolution"
@@ -530,14 +536,23 @@ jobs:
           echo "Has relevant changes in PR: $HAS_RELEVANT_CHANGES"
           echo "=================================="
 
-          # Only use custom build strategies for PRs targeting master
+          # For non-master base branches, check if the same branch exists in tyk-analytics
           if [ "$BASE_REF" != "master" ]; then
-            echo "ℹ️ Strategy: Use gromit default (base branch is not master)"
-            echo "    → Custom builds only for master branch PRs"
-            echo "dashboard_image=" >> $GITHUB_OUTPUT
-            echo "needs_build=false" >> $GITHUB_OUTPUT
-            echo "dashboard_branch=" >> $GITHUB_OUTPUT
-            echo "strategy=gromit-default" >> $GITHUB_OUTPUT
+            if git ls-remote --exit-code --heads "https://x-access-token:${ORG_GH_TOKEN}@github.com/TykTechnologies/tyk-analytics.git" "refs/heads/$BASE_REF" > /dev/null 2>&1; then
+              echo "📋 Strategy: Use release branch '$BASE_REF' from tyk-analytics"
+              echo "    → Base branch exists in tyk-analytics, using it directly"
+              echo "dashboard_image=${REGISTRY}/tyk-analytics:${BASE_REF}" >> $GITHUB_OUTPUT
+              echo "needs_build=false" >> $GITHUB_OUTPUT
+              echo "dashboard_branch=$BASE_REF" >> $GITHUB_OUTPUT
+              echo "strategy=release-branch-match" >> $GITHUB_OUTPUT
+            else
+              echo "ℹ️ Strategy: Use gromit default (base branch '$BASE_REF' not found in tyk-analytics)"
+              echo "    → Falling back to gromit default"
+              echo "dashboard_image=" >> $GITHUB_OUTPUT
+              echo "needs_build=false" >> $GITHUB_OUTPUT
+              echo "dashboard_branch=" >> $GITHUB_OUTPUT
+              echo "strategy=gromit-default" >> $GITHUB_OUTPUT
+            fi
 
           # Strategy 1: Matching branch exists in tyk-analytics → use gromit
           elif [ "$BRANCH_EXISTS" = "true" ]; then
@@ -582,8 +597,11 @@ jobs:
           echo "✅ Resolution complete"
           echo "=================================="
   build-dashboard-image:
-    if: needs.resolve-dashboard-image.outputs.needs_build == 'true'
     needs: resolve-dashboard-image
+    if: |
+      !cancelled() &&
+      needs.resolve-dashboard-image.result == 'success' &&
+      needs.resolve-dashboard-image.outputs.needs_build == 'true'
     runs-on: ${{ vars.DEFAULT_RUNNER }}
     permissions:
       id-token: write
@@ -762,9 +780,12 @@ jobs:
           echo "image=$IMAGE" >> $GITHUB_OUTPUT
           echo "✅ Dashboard image built and pushed: $IMAGE"
   test-controller-api:
-    if: github.event.pull_request.draft == false
     needs:
       - goreleaser
+    if: |
+      !cancelled() &&
+      needs.goreleaser.result == 'success' &&
+      github.event.pull_request.draft == false
     runs-on: ${{ vars.DEFAULT_RUNNER }}
     outputs:
       envfiles: ${{ steps.params.outputs.envfiles }}
@@ -784,9 +805,9 @@ jobs:
       - goreleaser
       - resolve-dashboard-image
       - build-dashboard-image
-    # build-dashboard-image may be skipped, so use if: always() to run regardless
+    # build-dashboard-image may be skipped, so use !cancelled() to run regardless
     if: |
-      always() &&
+      !cancelled() &&
       needs.test-controller-api.result == 'success' &&
       needs.goreleaser.result == 'success' &&
       needs.resolve-dashboard-image.result == 'success' &&
@@ -862,7 +883,7 @@ jobs:
     name: Aggregated CI Status
     runs-on: ${{ vars.DEFAULT_RUNNER }}
     # Dynamically determine which jobs to depend on based on repository configuration
-    needs: [goreleaser, api-tests]
+    needs: [goreleaser, api-tests, dep-guard]
     if: ${{ always() && github.event_name == 'pull_request' }}
     steps:
       - name: Aggregate results
@@ -889,9 +910,12 @@ jobs:
 
           echo "✅ All required jobs succeeded"
   test-controller-distros:
-    if: github.event.pull_request.draft == false
     needs:
       - goreleaser
+    if: |
+      !cancelled() &&
+      needs.goreleaser.result == 'success' &&
+      github.event.pull_request.draft == false
     runs-on: ${{ vars.DEFAULT_RUNNER }}
     outputs:
       deb: ${{ steps.params.outputs.deb }}
@@ -916,6 +940,9 @@ jobs:
     runs-on: ${{ vars.DEFAULT_RUNNER }}
     needs:
       - test-controller-distros
+    if: |
+      !cancelled() &&
+      needs.test-controller-distros.result == 'success'
     strategy:
       fail-fast: true
       matrix:
@@ -975,6 +1002,9 @@ jobs:
     runs-on: ${{ vars.DEFAULT_RUNNER }}
     needs:
       - test-controller-distros
+    if: |
+      !cancelled() &&
+      needs.test-controller-distros.result == 'success'
     strategy:
       fail-fast: true
       matrix:
@@ -1028,6 +1058,9 @@ jobs:
   release-tests:
     needs:
       - goreleaser
+    if: |
+      !cancelled() &&
+      needs.goreleaser.result == 'success'
     permissions:
       id-token: write # This is required for requesting the JWT
       contents: read # This is required for actions/checkout
@@ -1036,6 +1069,9 @@ jobs:
     secrets: inherit
   sbom:
     needs: goreleaser
+    if: |
+      !cancelled() &&
+      needs.goreleaser.result == 'success'
     uses: TykTechnologies/github-actions/.github/workflows/sbom.yaml@42304edda365365e0a887cf018d8edc34b960b82 # main
     secrets:
       DEPDASH_URL: ${{ secrets.DEPDASH_URL }}

apidef/mcp/validator_test.go

@@ -422,7 +422,7 @@ func TestGetMCPSchema(t *testing.T) {
 	t.Run("return error when requested version is not of semver", func(t *testing.T) {
 		reqOASVersion := "a.0.3"
 		_, err = GetMCPSchema(reqOASVersion)
-		expectedErr := fmt.Errorf("Malformed version: %s", reqOASVersion)
+		expectedErr := fmt.Errorf("malformed version: %s", reqOASVersion)
 		assert.Equal(t, expectedErr, err)
 	})
 

apidef/oas/validator_test.go

@@ -411,7 +411,7 @@ func TestGetOASSchema(t *testing.T) {
 	t.Run("return error when requested version is not of semver", func(t *testing.T) {
 		reqOASVersion := "a.0.3"
 		_, err = GetOASSchema(reqOASVersion)
-		expectedErr := fmt.Errorf("Malformed version: %s", reqOASVersion)
+		expectedErr := fmt.Errorf("malformed version: %s", reqOASVersion)
 		assert.Equal(t, expectedErr, err)
 	})
 

apidef/streams/validator_test.go

@@ -298,7 +298,7 @@ func TestGetOASSchema(t *testing.T) {
 	t.Run("return error when requested version is not of semver", func(t *testing.T) {
 		reqOASVersion := "a.0.3"
 		_, err = GetOASSchema(reqOASVersion)
-		expectedErr := fmt.Errorf("Malformed version: %s", reqOASVersion)
+		expectedErr := fmt.Errorf("malformed version: %s", reqOASVersion)
 		assert.Equal(t, expectedErr, err)
 	})
 

gateway/external_services_e2e_test.go

@@ -538,3 +538,63 @@ func TestE2E_CompleteAPIFlowWithExternalServices(t *testing.T) {
 	assert.Equal(t, 30*time.Second, webhookClient.Timeout)
 	assert.Equal(t, 10*time.Second, healthClient.Timeout)
 }
+
+func TestE2E_VaultHotReload(t *testing.T) {
+	vaultData := map[string]string{
+		"cert_file": "/initial/cert.pem",
+		"key_file":  "/initial/key.pem",
+		"ca_file":   "/initial/ca.pem",
+	}
+
+	mockVault := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		response := map[string]interface{}{
+			"data": map[string]interface{}{
+				"data": map[string]interface{}{
+					"cert_file": vaultData["cert_file"],
+					"key_file":  vaultData["key_file"],
+					"ca_file":   vaultData["ca_file"],
+				},
+			},
+		}
+		w.Header().Set("Content-Type", "application/json")
+		require.NoError(t, json.NewEncoder(w).Encode(response))
+	}))
+	defer mockVault.Close()
+
+	ts := StartTest(func(globalConf *config.Config) {
+		globalConf.KV.Vault = config.VaultConfig{
+			Address:   mockVault.URL,
+			Token:     "test-token",
+			KVVersion: 2,
+		}
+		globalConf.ExternalServices = config.ExternalServiceConfig{
+			OAuth: config.ServiceConfig{
+				MTLS: config.MTLSConfig{
+					Enabled:  true,
+					CertFile: "vault://secret/oauth.cert_file",
+					KeyFile:  "vault://secret/oauth.key_file",
+					CAFile:   "vault://secret/oauth.ca_file",
+				},
+			},
+		}
+	})
+	defer ts.Close()
+
+	require.NoError(t, ts.Gw.afterConfSetup())
+
+	conf := ts.Gw.GetConfig()
+	assert.Equal(t, "/initial/cert.pem", conf.ExternalServices.OAuth.MTLS.CertFile)
+	assert.Equal(t, "/initial/key.pem", conf.ExternalServices.OAuth.MTLS.KeyFile)
+	assert.Equal(t, "/initial/ca.pem", conf.ExternalServices.OAuth.MTLS.CAFile)
+
+	vaultData["cert_file"] = "/updated/cert.pem"
+	vaultData["key_file"] = "/updated/key.pem"
+	vaultData["ca_file"] = "/updated/ca.pem"
+
+	ts.Gw.DoReload()
+
+	conf = ts.Gw.GetConfig()
+	assert.Equal(t, "/updated/cert.pem", conf.ExternalServices.OAuth.MTLS.CertFile)
+	assert.Equal(t, "/updated/key.pem", conf.ExternalServices.OAuth.MTLS.KeyFile)
+	assert.Equal(t, "/updated/ca.pem", conf.ExternalServices.OAuth.MTLS.CAFile)
+}

gateway/mw_certificate_check.go

@@ -6,12 +6,9 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/sirupsen/logrus"
-
 	"github.com/TykTechnologies/tyk/certs"
 	"github.com/TykTechnologies/tyk/internal/certcheck"
 	"github.com/TykTechnologies/tyk/internal/crypto"
-	"github.com/TykTechnologies/tyk/pkg/errpack"
 	"github.com/TykTechnologies/tyk/storage"
 )
 
@@ -114,11 +111,6 @@ func (m *CertificateCheckMW) ProcessRequest(w http.ResponseWriter, r *http.Reque
 		certIDs := append(m.Spec.ClientCertificates, m.Spec.GlobalConfig.Security.Certificates.API...)
 		apiCerts := m.Gw.CertificateManager.List(certIDs, certs.CertificatePublic)
 		if err := crypto.ValidateRequestCerts(r, apiCerts); err != nil {
-			log.
-				WithField("api_id", m.Spec.APIID).
-				WithField("api_name", m.Spec.Name).
-				WithField("mw", m.Name()).
-				Log(errpack.LogLevel(err, logrus.WarnLevel), "Certificate validation failed: ", err)
 			m.batchCertificatesExpirationCheck(apiCerts)
 			return err, http.StatusForbidden
 		}

gateway/mw_jsonrpc_access_control.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/TykTechnologies/tyk/internal/httpctx"
+	"github.com/TykTechnologies/tyk/internal/mcp"
 	"github.com/TykTechnologies/tyk/internal/middleware"
 )
 
@@ -53,7 +54,7 @@ func (m *JSONRPCAccessControlMiddleware) ProcessRequest(w http.ResponseWriter, r
 		return nil, http.StatusOK
 	}
 
-	if checkAccessControlRules(accessDef.JSONRPCMethodsAccessRights, state.Method) {
+	if mcp.CheckAccessControlRules(accessDef.JSONRPCMethodsAccessRights, state.Method) {
 		writeJSONRPCAccessDenied(w, r, fmt.Sprintf("method '%s' is not available", state.Method))
 		return nil, middleware.StatusRespond
 	}

gateway/mw_jsonrpc_helpers.go

@@ -5,48 +5,8 @@ import (
 
 	"github.com/TykTechnologies/tyk/internal/httpctx"
 	jsonrpcerrors "github.com/TykTechnologies/tyk/internal/jsonrpc/errors"
-	"github.com/TykTechnologies/tyk/regexp"
-	"github.com/TykTechnologies/tyk/user"
 )
 
-// checkAccessControlRules evaluates allow/block lists against a name.
-// Returns true if the name is denied, false if permitted.
-//
-// Evaluation order:
-//  1. Blocked is checked first — if matched, the request is denied.
-//  2. If Allowed is non-empty and the name does not match any entry, the request is denied.
-//  3. If both lists are empty, access is permitted.
-func checkAccessControlRules(rules user.AccessControlRules, name string) bool {
-	for _, pattern := range rules.Blocked {
-		if matchPattern(pattern, name) {
-			return true
-		}
-	}
-
-	if len(rules.Allowed) == 0 {
-		return false
-	}
-
-	for _, pattern := range rules.Allowed {
-		if matchPattern(pattern, name) {
-			return false
-		}
-	}
-
-	return true
-}
-
-// matchPattern tests name against a regex pattern anchored with ^...$, enforcing full-match semantics.
-// Uses the tyk/regexp package which caches compiled patterns.
-// Falls back to exact-string comparison if the pattern is not valid regex.
-func matchPattern(pattern, name string) bool {
-	re, err := regexp.Compile("^(?:" + pattern + ")$")
-	if err != nil {
-		return pattern == name
-	}
-	return re.MatchString(name)
-}
-
 // writeJSONRPCAccessDenied writes a JSON-RPC 2.0 error response for access-denied cases.
 // Delegates to jsonrpcerrors.WriteJSONRPCError for consistent response shape and HTTP→JSON-RPC
 // error code mapping across all error paths in the gateway.